Step 2: Generate the CA Certificate

Once we have Tunnelblick installed, we can use the built-in copy of easy-rsa to generate all the certs we need. If you chose to install an alternative client in step 1, then you need to get easy-rsa on your own.

Tunnelblick installs easy-rsa in your local home directory:

$ cd ~/"Library/Application Support/Tunnelblick/easy-rsa"

The first thing we have to do is source the default variables provided in vars and clean the environment. You can change them, but they are just defaults and you will be prompted for them later.

$ . vars
$ ./clean-all

This has now created the keys/ directory in this folder. This is where all the goodness will go.

Okay, now that everything is set up, we can finally make our global CA, the thing we’re going to use to sign all the device certificates. You can easily make this by running:

These two will be used later in the DD-WRT configuration, so hang on to them.

Step 4: Generate Diffie-Hellman Parameters

Now that we have a server certificate, we can make the Diffie-Hellman parameters for the SSL/TLS connection.

Easily done by running:

$ ./build-dh

And you’ll get a fantastic pem file like this one:

-rw-r--r-- 1 root wheel 244 Feb 17 18:50 dh1024.pem

We’ll use this later when configuring DD-WRT.

Step 5: Generate your Device Certificates

We’re going to make two devices here, an iPhone and a laptop. I’m going to call the devices by those names in this tutorial, but your names should be specific to the devices themselves (their hostnames, for example).

$ ./build-key iphone
$ ./build-key laptop

NOTE: I recommend creating passwords for these, but you don’t HAVE to.
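
Before copying anything to a device it is worth checking what easy-rsa just produced. The script below is an added example, not part of the original tutorial: it assumes the easy-rsa 2.x keys/ layout described above (ca.crt, server.crt, one <device>.crt per device, a dhNNNN.pem) and that the openssl command-line tool is installed. It confirms each device certificate chains to our own CA, that server.crt carries the nsCertType=server flag the client profiles later rely on, and reports the size of the Diffie-Hellman parameters.

```shell
#!/bin/sh
# Sanity-check the easy-rsa output before copying anything to a device.
# Added example, not part of the original tutorial. Assumes the easy-rsa 2.x
# keys/ layout produced above (ca.crt, server.crt, <device>.crt, dhNNNN.pem)
# and the openssl command-line tool.

# verify_pki KEYS_DIR DEVICE...
# Return codes: 0 all checks passed, 1 a check failed, 2 required files missing.
verify_pki() {
    keys_dir=$1
    shift
    status=0

    for f in ca.crt server.crt; do
        if [ ! -f "$keys_dir/$f" ]; then
            echo "missing $keys_dir/$f" >&2
            return 2
        fi
    done

    # 1. Every device certificate must chain to our own CA.
    for dev in "$@"; do
        if [ ! -f "$keys_dir/$dev.crt" ]; then
            echo "missing $keys_dir/$dev.crt" >&2
            return 2
        fi
        if openssl verify -CAfile "$keys_dir/ca.crt" "$keys_dir/$dev.crt" >/dev/null 2>&1; then
            echo "ok   $dev.crt chains to ca.crt"
        else
            echo "FAIL $dev.crt does not verify against ca.crt" >&2
            status=1
        fi
    done

    # 2. The client profiles use 'ns-cert-type server', so server.crt must
    #    carry nsCertType = SSL Server or every client will refuse to connect.
    if openssl x509 -in "$keys_dir/server.crt" -noout -text | grep -q "SSL Server"; then
        echo "ok   server.crt has nsCertType=server"
    else
        echo "FAIL server.crt lacks nsCertType=server; clients using 'ns-cert-type server' will reject it" >&2
        status=1
    fi

    # 3. Report the Diffie-Hellman parameter size. build-dh produced 1024 bits
    #    above; 2048 bits or more is the usual minimum today.
    for dh in "$keys_dir"/dh*.pem; do
        [ -f "$dh" ] || continue
        bits=$(openssl dhparam -in "$dh" -noout -text 2>/dev/null | head -n 1 | sed -n 's/.*(\([0-9]*\) bit).*/\1/p')
        if [ -n "$bits" ] && [ "$bits" -ge 2048 ]; then
            echo "ok   $dh is $bits bits"
        else
            echo "WARN $dh is ${bits:-unknown} bits; consider regenerating with a larger size" >&2
        fi
    done

    return $status
}

# Usage, from the easy-rsa directory:
#   verify_pki keys iphone laptop
```

Run it once after Step 5 and again any time you add a device; a FAIL on the chain check usually means a certificate was signed by a different (older) CA than the ca.crt you are about to ship.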

Step 7: Configure the Firewall

Now that we have the service running, there is some final configuration required to ensure that the VPN traffic can talk to the internet AND the intranet (inside your network). Go to Administration and then Commands.

This part may look a little scary, but it’s very simple when you break down each command.

We’re going to put the following Firewall configuration into the Command Shell / Commands section.

Step 8: Configure your devices

Now that you have a server, you need to set up your different devices. Like I said before, we’re going to stick to the laptop and iphone device types we made before.

iPhone

Install OpenVPN Client (free on AppStore)

Create a folder to store stuff in locally (let’s call it iphone/)

Put the iphone.key, iphone.crt, and ca.crt in this directory

Create a new file called config.ovpn with the contents:

# Specify that we are a client and that we
# will be pulling certain config file directives
# from the server.
client
# Use the same setting as you are using on
# the server.
dev tun0
# Are we connecting to a TCP or
# UDP server? Use the same setting as
# on the server.
proto udp
# The hostname/IP and port of the server.
remote YOURHOSTNAMEHERE 1194
# Keep trying indefinitely to resolve the
# host name of the OpenVPN server. Very useful
# on machines which are not permanently connected
# to the internet such as laptops.
resolv-retry infinite
# Most clients don't need to bind to
# a specific local port number.
nobind
# Try to preserve some state across restarts.
persist-key
persist-tun
# SSL/TLS parms.
ca ca.crt
cert iphone.crt
key iphone.key
# Verify server certificate by checking
# that the certificate has the nsCertType
# field set to "server". This is an
# important precaution to protect against
# a potential attack discussed here:
# http://openvpn.net/howto.html#mitm
ns-cert-type server
# Enable compression on the VPN link.
comp-lzo
# Allow me to change my IP address
# and/or port number (if I get a new
# local IP address at Starbucks).
float
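
A profile that is copied onto a phone with the placeholder hostname still in it, or with the identity-check line dropped, fails in ways that are hard to debug from the device. The linter below is an added example, not part of the original tutorial or of OpenVPN itself: it parses a config.ovpn like the one above into its directives and reports missing directives, the unedited YOURHOSTNAMEHERE placeholder, the absence of a server identity check, and referenced ca/cert/key files that are not next to the profile. The hostname vpn.example.net in the sample is constructed. It serves the laptop profile in the next section equally, since only the file names change.

```python
"""Lint an OpenVPN client profile before copying it to a device.

Added example, not part of the original tutorial. It reads the directives of
a config.ovpn like the one above and reports the things most likely to be
wrong: missing directives, a placeholder hostname, no server-identity check,
and referenced ca/cert/key files that are not in the profile directory.
"""
import os
import shlex

# Directives every client profile in this tutorial needs.
REQUIRED = ("client", "dev", "proto", "remote", "ca", "cert", "key")

# Either of these makes the client verify it is talking to the real server.
# ns-cert-type is what the tutorial uses; remote-cert-tls is its modern
# replacement (ns-cert-type was removed in OpenVPN 2.5).
SERVER_IDENTITY = {"ns-cert-type": "server", "remote-cert-tls": "server"}

# Placeholder hostname from the tutorial's profile.
PLACEHOLDER_HOST = "YOURHOSTNAMEHERE"


def parse_ovpn(text):
    """Return {directive: [argument lists]}, skipping blank and comment lines."""
    directives = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        parts = shlex.split(line)
        directives.setdefault(parts[0], []).append(parts[1:])
    return directives


def lint_profile(text, profile_dir=None):
    """Return a list of findings; an empty list means the profile looks sane."""
    d = parse_ovpn(text)
    findings = []

    for name in REQUIRED:
        if name not in d:
            findings.append(f"missing directive: {name}")

    for args in d.get("remote", []):
        if not args or args[0] == PLACEHOLDER_HOST:
            findings.append("remote still points at the placeholder hostname")

    has_identity_check = any(
        args and args[0] == value
        for key, value in SERVER_IDENTITY.items()
        for args in d.get(key, [])
    )
    if not has_identity_check:
        findings.append("no server identity check (ns-cert-type server or remote-cert-tls server)")

    # Only check the referenced files when told where the profile lives.
    if profile_dir is not None:
        for key in ("ca", "cert", "key"):
            for args in d.get(key, []):
                if args and not os.path.isfile(os.path.join(profile_dir, args[0])):
                    findings.append(f"{key} file not found: {args[0]}")
    return findings


# Constructed sample: the tutorial's profile with the hostname filled in.
SAMPLE_OK = """\
client
dev tun0
proto udp
remote vpn.example.net 1194
resolv-retry infinite
nobind
persist-key
persist-tun
ca ca.crt
cert iphone.crt
key iphone.key
ns-cert-type server
comp-lzo
float
"""

# Constructed sample of a profile copied straight from the tutorial without
# editing: placeholder hostname left in, identity-check line deleted.
SAMPLE_BAD = SAMPLE_OK.replace("vpn.example.net", PLACEHOLDER_HOST).replace("ns-cert-type server\n", "")

if __name__ == "__main__":
    for label, text in (("good", SAMPLE_OK), ("bad", SAMPLE_BAD)):
        print(label, lint_profile(text) or ["no findings"])
```

Point lint_profile at the profile text and the iphone/ directory (profile_dir="iphone") before the iTunes step and it will also confirm that ca.crt, iphone.crt and iphone.key are actually in the folder you are about to sync.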

Open iTunes, go to your device, then Applications. At the very bottom you will see OpenVPN; click on it. Drag all four files you created in the iphone/ folder into the box on the right. This uploads them to the device. Click sync.

Open up the app on your phone, it will allow you to create a new profile based on this input.

Done! Connect to your network!

Laptop

Okay, the reason I said to do the iPhone first was that the laptop is basically the same thing!

Create a folder to store stuff in locally (let’s call it HomeVPN/)

Put the laptop.key, laptop.crt, and ca.crt in this directory

Create a new file called config.ovpn with similar contents as before (but replace iphone with laptop)